Receipt of an invalid XMPP Jingle "session-initiate" iq missing certain fields causes libpurple to dereference a NULL pointer.
Paul Aurich
paul at darkrain42.org
Fri Dec 2 01:40:08 EST 2011
And Paul Aurich spoke on 10/24/2011 07:48 PM, saying:
> On Sun, Oct 23, 2011 at 11:49:17PM +0200, Thijs Alkemade wrote:
>> Hello all,
>>
>
> <snip/> (missing "media" attr on "description" element)
> <snip/> (missing "creator" on "content" element)
>
>>
>> According to the spec
>> (http://xmpp.org/extensions/xep-0167.html#schema-content), a
>> "<description>" element is required to have a "media" attribute, but
>> that is missing here.
>> libpurple/protocols/jabber/jingle/rtp.c:jingle_rtp_parse_codecs()
>> checks with strcmp if the media attribute is "video" or "audio", but
>> that means it will crash if it is NULL. Also, "<content>" is required
>> to have a "creator", but excluding that also causes a similar crash
>> with strcmp in jingle_rtp_init_media().
...
> Yep, thanks for reporting these. I audited further strcmp uses, and
> believe the following will also crash (some tested, but constructing
> one side of a Jingle flow by hand [on the fly] is painful)
>
> * jingle_handle_content_modify ('senders' is NULL, requires some
> valid Jingle data structs locally)
> * jingle_session_find_content() (called in most of the
> jingle_handle_content_* functions), if 'name' attribute is missing
> * jingle_session_find_pending_content() (via content-accept and
> content-reject)
>
> All the other uses I looked at didn't appear to be crashers. I would
> still like to replace all with purple_strequal (except where relatively
> obvious that something is not-NULL or it's more appropriate to
> explicitly handle NULLs first, like in jingle_rtp_init_media)
>
> jingle_rtp_init_media also appears to be leaking memory and refs to the
> JingleSession under error conditions. I need to look into that further.
>
Thanks, Mark, for nudging me about this.
I'd like to propose the attached patch, which fixes the two crashes Thijs
identified and the others I noticed.
I'm not certain about the exit cases in jingle_rtp_init_media (the exit
cases in jingle_rtp_init_media may need to be calling purple_media_end(),
or conversely, the one that calls purple_media_end() may need to be
free/unref:ing some things.) Regardless, crashing bad, and this should no
longer crash.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: proposed-jingle-crash-fix.patch
Type: text/x-patch
Size: 5705 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20111201/1ab07547/attachment.bin>
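The NULL-safe comparison the thread proposes (purple_strequal in place of strcmp), as an added example that is not the attached patch or libpurple's own code: a small constructed element struct stands in for xmlnode, the "media" and "creator" attributes are the ones from the report, and the function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

typedef struct { const char *name; const char *value; } attr_t;
/* Constructed stand-in for a parsed XML element (not libpurple's xmlnode). */
typedef struct { const char *name; size_t nattrs; attr_t attrs[4]; } elem_t;

/* Like xmlnode_get_attrib(): returns NULL when the attribute is absent,
 * which is exactly the value the crashing strcmp() calls dereferenced. */
static const char *elem_get_attrib(const elem_t *e, const char *name) {
    for (size_t i = 0; i < e->nattrs; i++)
        if (strcmp(e->attrs[i].name, name) == 0)
            return e->attrs[i].value;
    return NULL;
}

/* Same contract as purple_strequal(): NULL == NULL, NULL != "x",
 * and it never dereferences a NULL pointer. */
static int str_equal_safe(const char *a, const char *b) {
    if (a == b) return 1;
    if (a == NULL || b == NULL) return 0;
    return strcmp(a, b) == 0;
}

typedef enum { MEDIA_INVALID = -1, MEDIA_AUDIO = 0, MEDIA_VIDEO = 1 } media_t;

/* Vulnerable pattern from the thread (shown only, never called):
 *   const char *media = elem_get_attrib(description, "media");
 *   if (!strcmp(media, "audio")) ...   -- NULL media => segfault */

/* Hardened: a missing or unknown "media" attribute is a protocol error the
 * caller can answer with bad-request, not a crash. */
static media_t parse_description_media(const elem_t *description) {
    const char *media = elem_get_attrib(description, "media");
    if (str_equal_safe(media, "audio")) return MEDIA_AUDIO;
    if (str_equal_safe(media, "video")) return MEDIA_VIDEO;
    return MEDIA_INVALID;   /* covers NULL as well as unexpected values */
}

/* XEP-0166 allows only "initiator" or "responder"; NULL is simply invalid. */
static int content_creator_is_valid(const elem_t *content) {
    const char *creator = elem_get_attrib(content, "creator");
    return str_equal_safe(creator, "initiator") ||
           str_equal_safe(creator, "responder");
}

/* Constructed stanzas: one well-formed pair plus the two malformed elements
 * from the report (description without media, content without creator). */
static const elem_t desc_ok      = { "description", 1, { { "media", "audio" } } };
static const elem_t desc_nomedia = { "description", 1, { { "xmlns", "urn:xmpp:jingle:apps:rtp:1" } } };
static const elem_t content_ok   = { "content", 2, { { "creator", "initiator" }, { "name", "voice" } } };
static const elem_t content_nocr = { "content", 1, { { "name", "voice" } } };
```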